Should I REST or SOAP

Posted: Wed Nov 07, 2007 5:50 am
by alex.barylski
I am familiar with SOAP yet have never used it (to my knowledge) and had no clue about REST until just now after searching Google.

I need to transfer sensitive data between two remote machines as web services...

It sounds as though REST is for accessing "resources" not "services", so any REST implementation that includes complexities like authentication is overkill.

With this insight, it would seem logical one would then want to consider using SOAP.

Which should I use? What are the true differences between them? I recall seeing a SOAP class in Zend, is it complicated, could I use it to base my own classes on? Quickly and effectively?

Posted: Wed Nov 07, 2007 8:52 am
by Jenk
REST. Period. SOAP == bloat.

REST is REST, it is not "for" anything, it is simply a term for describing the method involved. Some try to describe it as a protocol.

You send a string (via GET HTTP, usually) and can retrieve data in any format you wish.

Posted: Wed Nov 07, 2007 1:47 pm
by Kieran Huggins
REST FTW.

http://phprestsql.sourceforge.net might be useful?

Posted: Wed Nov 07, 2007 3:48 pm
by Christopher
REST and SOAP are not really that comparable though they seem to get lumped together as methods of communication. REST is an architectural style and SOAP is a protocol. You may want to compare SOAP and RPC, and then in turn compare RPC and REST to get a sense of the continuum of communication styles. They all exist because they serve different requirements.

Posted: Wed Nov 07, 2007 3:57 pm
by alex.barylski
Most of the articles I've read really stress that SOAP is the protocol and REST is the architectural style, which I understand, as there are few specifics to using REST with GET/POST HTTP requests and the format is whatever is dictated by the returned XML or the format of the GET requests.

However, what is unclear is how I might make REST secure for accessing/updating sensitive records? It seems some feel REST is not to be used for secure transactions?

I could build a simple API on top of REST so that it mimics something of SOAP with authentication, etc... is that how most REST apps work when they implement security?

Have the REST server return a session ID to the client after authenticating and use that session ID thereafter on each request to the server?

How would you all recommend implementing a layer of authentication to prevent outside access to sensitive data when using REST?

I believe REST is the way I *want* to go, but I'm unclear whether it's capable or best practice to use under the security requirement???

Any opinions? :)

Posted: Wed Nov 07, 2007 5:20 pm
by alex.barylski
wikipedia wrote:
HTTP separates the notions of a web server and a web browser. This allows the implementation of each to vary from the other based on the client/server principle. When used RESTfully, HTTP is stateless. Each message contains all the information necessary to understand the request when combined with state at the resource. As a result, neither the client nor the server needs to remember any communication-state between messages. Any state retained by the server must be modeled as a resource.

Doesn't sound like REST would be technically suited for anything of a sensitive nature.

Posted: Wed Nov 07, 2007 5:26 pm
by Benjamin
REST ALTWD

Posted: Wed Nov 07, 2007 6:38 pm
by Kieran Huggins
astions wrote:
REST ALTWD

All Lettuce & Tomato Wheel Drive?

http://www.berenddeboer.net/rest/authentication.html could be useful

REST really does make your life easier, it's "the right way" to have model access.

Posted: Thu Nov 08, 2007 4:29 am
by Jenk
How would REST be any less secure than SOAP? They both use HTTP..

REST could be called an architectural style, but it's nothing more than a dynamic protocol - albeit hard to define as one.

Posted: Thu Nov 08, 2007 6:10 am
by Maugrim_The_Reaper
HTTP Authentication ring a bell? ;)

REST can be secured - I think the main problem that's noted is that some REST authentication methods may leave a service open to phishing and man-in-the-middle vulnerabilities. This is largely a design problem - not a fundamental one for REST. It's relatively easy to impose API keys, shared/negotiated secret keys, etc., to defeat MITM or weak authentication. A classic solution is to sign all messages between server and client with a shared secret key to assert that messages are valid (not MITM junk).

If you're exposing a public service to authenticated members, OAuth is certainly worth a good look. It's very new and presently implemented by Twitter and Magnolia.

Posted: Thu Nov 08, 2007 7:04 am
by Jenk
That still begs the same question.. how is SOAP more secure than REST when both use the same HTTP service. SOAP is a defined XML format, still uses strings over HTTP. REST is a dynamic string over HTTP. :)

Posted: Thu Nov 08, 2007 2:02 pm
by Christopher
Jenk wrote:
That still begs the same question.. how is SOAP more secure than REST when both use the same HTTP service. SOAP is a defined XML format, still uses strings over HTTP. REST is a dynamic string over HTTP. :)

SOAP, RPC or some kind of REST communication are all secure -- over HTTPS. ;)

As I said above, they are different styles of communication that meet different requirements. It's a lot like choosing between TCP and UDP, different for different requirements.

Better one is not...

Posted: Thu Nov 08, 2007 2:08 pm
by alex.barylski
That still begs the same question.. how is SOAP more secure than REST when both use the same HTTP service. SOAP is a defined XML format, still uses strings over HTTP. REST is a dynamic string over HTTP.

Well, the fact that REST advocates seem to stress the importance of "stateless" behavior makes it less secure. Sure, you could integrate authentication, but without sessions or something you would have to pass the user/pass in every time you make a request, so unless you used HTTPS, wouldn't that be insecure?

As for the use of an API key...I have considered possibly using something like a private key implementation to encrypt the messages...

Maugrim, thanks for that OAuth... I'll certainly check it out.

Cheers :)
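An added illustration (not code from the thread) of the approach Maugrim describes, signing each message with a shared secret, and of how it answers Alex's worry about passing user/pass on every stateless request: the client sends an API key ID plus an HMAC over the method, path, timestamp and body, so the secret itself never travels and the server needs no session. The key ID, secret and request values are constructed sample data; HTTPS is still needed for confidentiality of the body.

```python
import hashlib
import hmac
import time

# Constructed sample key store: API key ID -> shared secret (hypothetical values).
SECRETS = {"client-42": b"constructed-shared-secret"}
MAX_SKEW = 300  # seconds of clock drift tolerated; also bounds the replay window

def canonical(method, path, timestamp, body):
    """Build the exact byte string both sides sign: method, path, time, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()

def sign_request(key_id, method, path, body, timestamp=None):
    """Client side: produce the headers for a self-contained, stateless request."""
    ts = int(timestamp if timestamp is not None else time.time())
    mac = hmac.new(SECRETS[key_id], canonical(method, path, ts, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}

def verify_request(method, path, body, headers, now=None):
    """Server side: check the signature with no session state; return (ok, reason)."""
    secret = SECRETS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"  # old captures are rejected even if valid
    expected = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot time-leak the correct digest.
    if not hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode()):
        return False, "bad signature"  # body or path was altered in transit
    return True, "ok"

if __name__ == "__main__":
    body = b'{"record": "constructed sensitive payload"}'
    hdrs = sign_request("client-42", "PUT", "/records/7", body)
    print(verify_request("PUT", "/records/7", body, hdrs))
```

A per-request nonce stored for MAX_SKEW seconds would close the remaining replay window inside the skew tolerance; the example keeps only the timestamp check for brevity.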

Posted: Thu Nov 08, 2007 2:24 pm
by Luke
All Lettuce & Tomato Wheel Drive?

That was really funny. LOL :D

Posted: Fri Nov 09, 2007 1:31 am
by Kieran Huggins
I'm happy to entertain, but I'm still confused... so very confused.